Don’t Trust That Tower

Nancy Friedrich | Oct 13, 2014

Current news headlines seem to scream weekly about hackers getting credit card and other secure information from stores, banks, etc. Meanwhile, concerns are already being voiced about spying that can be done via the famed and much-awaited “Internet of Things” (IoT). It also is possible to steal user information and data usage from cellular phones. Beyond identity theft, these threats raise concerns about what such breaches can mean for our national security—especially when our wireless infrastructure itself is called into question.

In an article titled, “Rogue cell towers discovered in Washington, D.C.” on CSO, the author reports that engineers and customers of ESD America (makers of the ultra-secure CryptoPhone) had discovered more than a dozen rogue cell towers (also known as interceptors or IMSI catchers) around the U.S. this past summer. There is a good chance that this number is only a small representation of the total interceptors that exist. It also fails to take into account mobile base stations, which may only be turned on temporarily.

The article notes that these interceptors are only supposed to be used by law enforcement or the government. According to CSO, “That's because once a device connects to them, the interceptor's operator can perform a number of tasks, including eavesdrop on calls or text messages, or in some cases push data (spyware for example) to the device.” Due to the suspected large number of interceptors in the US—from standard base stations to home-grown solutions—it also is possible that other countries or entities could be spying on the U.S.

Realizing the threat that could be posed by interceptors, Congress has pressured the Federal Communications Commission (FCC) to tackle this topic. Reportedly, the FCC responded by creating a task force “to combat the illicit and unauthorized use of IMSI catchers." Truly, however, this is not much of a fix. The carriers need to step up to secure the spectrum they use. While the official parties wrangle over this topic and try to come up with mandatory solutions, individuals need to be aware. For engineers working for defense contractors in particular: If your employer trusts you with design, financial, or any other type of secret, it is time to think about securing your cell phone with more than just a password.